Action Items
· Draft a recommendation of trust criteria for CAs
· Schedule a follow-up meeting
  o Get more representation from Sec & Trust WG next time – will enhance future conversations
  o Need to get more focused for the next meeting – set agenda with specific questions in advance

Notes:
· Don – what we feel comfortable with is something in between. Not *more* assurance – but appropriate. Declaration that allows a CA to say “this entity is subject to HIPAA regulation, is a covered entity, etc…”
· Brett – in reading the thread and on CAB, the expense that the CA would have to pass on for identity and organizational verification might turn into a catch-22. Especially if we go to an individual verification model.
· Greg – not just cost, but also the operational difficulties of how do you know when new entities that must be trusted (or not) come into the marketplace
· John – some parts of CAB that require you to attest to (like bank accounts) are less necessary when there are additional requirements like BAAs.
· Arien – range of what we could do: no recommendation, set of principles, specific recommendations
  o Here are things that you should consider when looking at a CA
  o Here is a list of root CAs
· ?? – CAB policy wants to help you both trust the CA, and the entity to which they’ve issued a certificate
· Pat – Cert policy – if this identity is used to transmit health information, and you are covered under HIPAA legislation. How does an individual CA determine which other CAs to trust?
  o Criteria for trust
  o How do you know when other CAs come into the marketplace?
· Guy – could we look into Bridges? Federal bridges? Other bridges?
· ?? – Cross certified certificates happen by querying the OID. Don’t reinvent the wheel.
· Pat – Not suggesting the federal bridge is not workable. There might just need to be some changes to make it workable for Healthcare exchange.
· ?? – are the needs and cost covering requirements of the federal entities in line with rural doctor capabilities?
· ?? – there are plenty of commercial CAs that are cross certified with the bridge.
· Pat – hoops that have to be jumped through to get a cert are there to mitigate risk inherent in transmitting PHI. Risk profile doesn’t change (but volume does) if you’re a single doctor vs. a large hospital
· Don – question for Verizon – how would you extend the cert to know if it was for a covered entity
· ?? – HIPAA HITECH needs NIST level 3 assurance. Strong multifactor authentication of the human subject.
· ?? – certs generally issued with 1 year lifetime. That’s too long for hospitals – too much latency.
· ?? – need approach for Trust Anchors. Recommendation would be to leverage existing systems like the Federal Bridge. Separate topic of authorization vs. identity.
· Brett – Are we predicating this discussion on the fact that individuals might want to contact individuals that don’t already have a relationship
  o Maybe the right way is to handle this out of band
  o Our charge should be to make recommendations about how to decide if you should trust someone
· ?? – is Direct an island on its own for trust?